XSS mitigation in browsers

Hi public-web-security,

I'm not sure if this the right forum for discussing new browser
features that help mitigate cross-site scripting.  If not, please feel
free to point me to a better forum.

As I'm sure many of you are aware, various folks from Mozilla have
proposed Content Security Policies
<https://wiki.mozilla.org/Security/CSP> as a way of improving the
security of web pages by including a security policy.  I'm interested
two aspects of CSP:

1) Cross-site scripting mitigation
2) Notification of policy violations

The simplest design I could think of that achieves those goals is
described on this wiki page:


The design is largely inspired by CSP, but different in a few ways:

1) Instead of using HTTP headers, the policy is expressed in HTML.  Of
course, authors will want to place the policy as early as possible in
their document, so we're using a meta element, which can be placed in
the head of the document.

2) Instead of exposing policy levers for every kind of resource load,
this proposal only lets the author control the source scripts.  This
focus on scripts is motivated by wanting to prevent the attacker from
injecting script into the page.

3) Instead of reporting violations to the server via HTTP, this
proposal simply generates a DOM event in the document.  The author of
the page can listen for the event and wire it up to whatever analytics
the author uses for other kinds of events (e.g., mouse clicks).

Let me know if you have any feedback on this proposal.  In general,
I'm more interested in feedback that leads to simplification rather
than feedback that leads to more complexity.


Received on Wednesday, 19 January 2011 22:43:49 UTC